82a491bac8
- complete rewrite of banIP to support nftables - all sets are handled in a separate nft table/namespace 'banIP' - for incoming blocking it uses the inet input hook, for outgoing blocking it uses the inet forward hook - full IPv4 and IPv6 support - supports nft atomic set loading - supports blocking by ASN numbers and by iso country codes - 42 preconfigured external feeds are available, plus local allow- and blocklist - supports local allow- and blocklist (IPv4, IPv6, CIDR notation or domain names) - auto-add the uplink subnet to the local allowlist - provides a small background log monitor to ban unsuccessful login attempts in real-time - the logterms for the log monitor service can be freely defined via regex - auto-add unsuccessful LuCI, nginx, Asterisk or ssh login attempts to the local blocklist - fast feed processing as they are handled in parallel as background jobs - per feed it can be defined whether the input chain or the forward chain should be blocked (default: both chains) - automatic blocklist backup & restore, the backups will be used in case of download errors or during startup - automatically selects one of the following download utilities with ssl support: aria2c, curl, uclient-fetch or wget - supports a 'allowlist only' mode, this option restricts internet access from/to a small number of secure websites/IPs - provides comprehensive runtime information - provides a detailed set report - provides a set search engine for certain IPs - feed parsing by fast & flexible regex rulesets - minimal status & error logging to syslog, enable debug logging to receive more output - procd based init system support (start/stop/restart/reload/status/report/search) - procd network interface trigger support - ability to add new banIP feeds on your own - add a readme with all available options/feeds to customize your installation to your needs - a new LuCI frontend will be available in due course Signed-off-by: Dirk Brenken <dev@brenken.org>
99 lines
2.8 KiB
Bash
Executable file
99 lines
2.8 KiB
Bash
Executable file
#!/bin/sh /etc/rc.common
|
|
# banIP init script - ban incoming and outgoing ip adresses/subnets via sets in nftables
|
|
# Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org)
|
|
# This is free software, licensed under the GNU General Public License v3.
|
|
|
|
# (s)hellcheck exceptions
|
|
# shellcheck disable=all
|
|
|
|
START=30
|
|
USE_PROCD=1
|
|
|
|
extra_command "report" "[text|json|mail] Print banIP related set statistics"
|
|
extra_command "search" "[<IPv4 address>|<IPv6 address>] Check if an element exists in the banIP sets"
|
|
|
|
ban_init="/etc/init.d/banip"
|
|
ban_service="/usr/bin/banip-service.sh"
|
|
ban_funlib="/usr/lib/banip-functions.sh"
|
|
ban_pidfile="/var/run/banip.pid"
|
|
ban_lock="/var/run/banip.lock"
|
|
|
|
[ ! -r "${ban_funlib}" ] && exit 1
|
|
[ "${action}" = "stop" ] && ! /etc/init.d/banip running && exit 0
|
|
[ -d "${ban_lock}" ] && { [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ]; } && exit 1
|
|
[ ! -d "${ban_lock}" ] && { [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ]; } && mkdir -p "${ban_lock}"
|
|
|
|
boot() {
|
|
: >"${ban_pidfile}"
|
|
rc_procd start_service "boot"
|
|
}
|
|
|
|
start_service() {
|
|
if "${ban_init}" enabled; then
|
|
[ "${action}" = "boot" ] && [ -n "$(uci_get banip global ban_trigger)" ] && return 0
|
|
[ -z "$(command -v "f_system")" ] && . "${ban_funlib}"
|
|
f_rmpid
|
|
procd_open_instance "banip-service"
|
|
procd_set_param command "${ban_service}" "${@:-"${action}"}"
|
|
procd_set_param pidfile "${ban_pidfile}"
|
|
procd_set_param nice "$(uci_get banip global ban_nicelimit "0")"
|
|
procd_set_param limits nofile="$(uci_get banip global ban_filelimit "1024")"
|
|
procd_set_param stdout 1
|
|
procd_set_param stderr 1
|
|
procd_close_instance
|
|
else
|
|
[ -z "$(command -v "f_system")" ] && . "${ban_funlib}"
|
|
f_log "err" "banIP service autostart is currently disabled, please enable the service autostart with '/etc/init.d/banip enable'"
|
|
rm -rf "${ban_lock}"
|
|
fi
|
|
}
|
|
|
|
reload_service() {
|
|
[ -z "$(command -v "f_system")" ] && . "${ban_funlib}"
|
|
f_rmpid
|
|
rc_procd start_service "reload"
|
|
}
|
|
|
|
stop_service() {
|
|
[ -z "$(command -v "f_system")" ] && . "${ban_funlib}"
|
|
"${ban_nftcmd}" delete table inet banIP >/dev/null 2>&1
|
|
f_genstatus "stopped"
|
|
f_rmpid
|
|
}
|
|
|
|
restart() {
|
|
stop_service
|
|
rc_procd start_service "restart"
|
|
}
|
|
|
|
status() {
|
|
status_service
|
|
}
|
|
|
|
status_service() {
|
|
[ -z "$(command -v "f_system")" ] && . "${ban_funlib}"
|
|
f_getstatus
|
|
}
|
|
|
|
report() {
|
|
[ -z "$(command -v "f_system")" ] && . "${ban_funlib}"
|
|
f_report "${1:-"text"}"
|
|
}
|
|
|
|
search() {
|
|
[ -z "$(command -v "f_system")" ] && . "${ban_funlib}"
|
|
f_search "${1}"
|
|
}
|
|
|
|
service_triggers() {
|
|
local iface trigger delay
|
|
|
|
trigger="$(uci_get banip global ban_trigger)"
|
|
delay="$(uci_get banip global ban_triggerdelay "5")"
|
|
PROCD_RELOAD_DELAY=$((delay * 1000))
|
|
|
|
for iface in ${trigger}; do
|
|
procd_add_interface_trigger "interface.*.up" "${iface}" "${ban_init}" "start"
|
|
done
|
|
procd_add_reload_trigger "banip"
|
|
}
|